TestFlight iOS 1.19.26 release

Yes. But not giving someone else access to your email account seems like the solution here?

4 Likes

I am not sure anyone would knowingly give others access to passwords (nor should they) but that is not to say email accounts can be compromised.

Putting it another way. If you set up a payment to someone you are asked to enter your card pin. To get access to the card's pin in the app you need photo ID and to record a video. So asking for your card pin when trying to send a card to a different address would also seem logical.

Just relying on your phone being secure when in reality you just need a compromised email account to install the app/access on any device seems way too insecure. Especially when the app could be holding thousands now it’s a full current account.

They’d need continued access to your phone in order to activate your card if they did manage to get it sent to their address.

And you wouldn’t be liable for any money that’s taken from the account if your card was stolen so Monzo would reimburse you.

Just to jump in here, there are a few more protections than you see but even if someone were to get a debit card sent to an alternative address, they will need both continued access to your app in addition to your card PIN to activate it. :1234: :slightly_smiling_face:

7 Likes

The majority of changes in this release aren’t user-facing ones, but squishing lots of nasty bugs and preparing things in the background for future user-facing updates :grinning:

The new delivery address flow is a big one for us!

Previously, changing your delivery address required getting in touch with us through in-app support and represented a massive 10% of user queries (I think that statistic was from January rather than all time, but it’s historically always represented a large amount of queries). Now this is something users can do themselves!

8 Likes

But that is what I mean they need continued access to your account but that does not have to be on your phone.

1 Like

I couldn’t remember if card activation was behind the pin or not so that is good :slightly_smiling_face:

Though app access I still see as a different concern.

It is great this is being automated. One step closer to customers being able to self serve :sunglasses:

I think we need to look at risk and proportionate security. Monzo will likely have had to document and agree security provisions with their regulator.

The email point is well made, but applicable to many/most internet services. How many can you regain access to via email? (Not to dismiss it, but we should all take measures to protect ourselves - it’s wider than Monzo).

All in, my view is that Monzo is doing the right thing in reducing security friction. I understand that some people have an emotive need for additional security (“it doesn’t feel secure”) - this is valid and might require additional options (like fingerprint auth to get into the app on Android), but I think we should a) trust the Monzo security folk (who’ll know much more about checks we can’t see) and b) secure what we can (including email and access to our devices).

(On that emotive security point, I’d personally feel safer and more in control if there was a web interface to freeze cards / service accounts etc. I think there’s an unemotive need for this too, but that’s another story :wink:)

6 Likes

Yeah I understand what you are saying. And I guess if the customer is not liable for any ‘Fraud’ it is as much about Monzo protecting themselves as much as the customers perceived protections. So would expect this to evolve as Monzo starts seeing any Fraudulent trends and adapt accordingly.

Coming from a company view of being extremely risk averse you become accustomed to security being in place for everything. Whereas Monzo have the unique position to start with less and add more in as appropriate.

Though I do think options being held behind a card pin to be very effective and a frictionless solution as a security measure.

It’s exactly the same as someone hacking your email… clicking forgotten password and accessing your account that way… a hacker can get into any of your online accounts with access to your email server in no time at all…

Bank, Energy supplier, Council Tax, HMRC anything really… unless you have 2 Factor Auth so it’s as secure as anything else on the internet…

3 Likes

Haha, not HMRC. It’s a challenge to the actual user to get into their HMRC account! One of the best Twitter threads ever in my opinion (it’s a series of four, well worth reading them all):

https://twitter.com/jbwol/status/957252002584711168

Seriously, though, HMRC requires 2FA.

9 Likes

It is a PITA having 2FA on HMRC. Someone I know got divorced. Their ex has to ring them for a code to get into their HMRC account. They want to change the mobile number that receives the code but HMRC say it is nothing to do with them and to contact your Gov.Verify provider. They have contacted all of them and every one suggests they try contacting a different provider, none will admit to being the one they registered with. :slight_smile:

2 Likes

Hey @Frankiejr! Thank you for your feedback. We indeed want the keyboard to be dismissed and we’re sorry this hasn’t been dealt with before. Watch out for a fix coming very soon!

4 Likes

Still haven’t resolved the ‘jump’ that occurs when you switch from any tab to the Account tab.

Everything jumps up a certain amount of pixels but not the first time.

Once you see it you can never unsee it! :flushed:

2 Likes

Hi @matthewjvoce. This is on our radar and we’ll have a fix for it very soon!

6 Likes

I never noticed that before… now it’s annoying me :rofl::rofl:

4 Likes

I loved the four-asterisk PIN button, so I’m very sad to see it go :disappointed:

2 Likes

Hey all! 1.9.26 is now publicly available :tada:

Let’s discuss it here.

1 Like